Merge pull request #1192 from balena-os/ryan/permissions
Explicitly set GITHUB_TOKEN permissions for yocto workflow
flowzone-app[bot] authored Dec 3, 2024
2 parents 6fc78d1 + fe8889f commit 9293e09
Showing 18 changed files with 201 additions and 90 deletions.
17 changes: 12 additions & 5 deletions .github/workflows/npe-x500-m3.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,10 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
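Review bot: The `uses:` line on the new side of the second hunk (assuming the rendered order is old then new) points the reusable workflow at the mutable `@master` ref, replacing the full-length commit pin `@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8`, so the token permissions this hunk grants (`id-token: write`, `pull-requests: write`) are delegated to whatever that branch contains at run time — and the first hunk now enables `pull_request_target`, so this also covers runs for fork-originated PRs. If the branch ref is only for pre-release testing of the permissions change, restore a commit pin before merge: `uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@<full-length-sha> # v<tag>`. Minor: the `id-token` comment fuses two `#` fragments; `# Required to request the OIDC JWT; see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token` reads cleaner. The same change appears in raspberrypi.yml, raspberrypi0-2w-64.yml, raspberrypi2.yml, raspberrypi3-64.yml, raspberrypi3-unipi-neuron.yml, raspberrypi3.yml, raspberrypi4-64.yml, raspberrypi4-superhub.yml, raspberrypi4-unipi-neuron.yml and raspberrypi400-64.yml. The `if:` condition guarding duplicate PR/PRT runs continues past the hunk, so whether fork PR head code is checked out before approval cannot be confirmed from here.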
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi0-2w-64.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi2.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi3-64.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi3-unipi-neuron.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi3.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi4-64.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi4-superhub.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi4-unipi-neuron.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while
16 changes: 11 additions & 5 deletions .github/workflows/raspberrypi400-64.yml
Expand Up @@ -9,10 +9,10 @@ on:
- master
# ESR branches glob pattern
- 20[0-9][0-9].[0-1]?[1470].x
# pull_request_target:
# branches:
# - main
# - master
pull_request_target:
branches:
- main
- master
push:
tags:
# Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
Expand All @@ -31,11 +31,17 @@ on:
type: string
default: balena-staging.com

permissions:
id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
packages: read
contents: read

jobs:
yocto:
name: Yocto
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@d8d6b50ec334769cfc000ef8b619cfb35a5a65d5 # v1.27.8
uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
# Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
# Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
# This condition will prevent the workflow from running twice for the same pull request while